docs: replace manual cross-account setup with quiltx bucket add

[drernie]

Summary

• Replace manual bucket policy JSON and SNS configuration in CrossAccount.md with quiltx bucket add (available since quiltx v0.4.0)
• Remove s3:PutBucketNotification permission from docs — customers run quiltx in their own account, so the control account never needs this
• Simplify multi-region and security best practices sections accordingly
• Restructure install/preview blocks to eliminate redundancy (Greptile feedback)
• Add catalog discovery guidance — quiltx auto-detects the stack, no quiltx stack prerequisite needed

Context

Customer complaint: granting s3:PutBucketNotification to the Quilt control account is a security risk, and AWS's replace-not-append API means Quilt could stomp existing notifications. quiltx bucket add solves this by running in the customer's account and merging configurations safely.

See also quiltdata/quiltx#20 for removing notification permissions from QUILT_POLICY_ACTIONS.

Related: quiltdata/quiltx@1531596 — bucket add now auto-discovers the CloudFormation stack when no cached metadata exists, so users no longer need to run quiltx stack first.

Test plan

• Review rendered CrossAccount.md for coherence and correct step numbering
• Verify all quiltx commands shown are valid per quiltx v0.4.0
• Confirm no broken internal doc links
• quiltx tests pass (30/30)

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 44.32%. Comparing base (e8b996a) to head (7d11b55).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #4803   +/-   ##
=======================================
  Coverage   44.32%   44.32%           
=======================================
  Files         813      813           
  Lines       32736    32736           
  Branches     5721     5721           
=======================================
  Hits        14511    14511           
  Misses      16224    16224           
  Partials     2001     2001           

Flag	Coverage Δ
api-python	92.65% <ø> (ø)
catalog	19.52% <ø> (ø)
lambda	96.63% <ø> (ø)
py-shared	98.18% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[greptile-apps]

Redundant install/preview blocks

The "Install quiltx" block shows uvx quiltx bucket add your-data-bucket --profile data-account --dry-run as its uvx example — that is a full command execution, not an installation step. The immediately-following "Preview changes with --dry-run" section then repeats the exact same command (without the uvx prefix), making it unclear whether both blocks should be run or just one.

Consider restructuring so the install block shows only how to get the tool (e.g. a note that uvx needs no install), and the preview block consolidates the dry-run invocation for both uvx and pip-installed usage:

Suggested change

	```json
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "QuiltCrossAccountAccess",
	"Effect": "Allow",
	"Principal": {
	"AWS": "arn:aws:iam::CONTROL-ACCOUNT-ID:root"
	},
	"Action": [
	"s3:GetObject",
	"s3:GetObjectAttributes",
	"s3:GetObjectTagging",
	"s3:GetObjectVersion",
	"s3:GetObjectVersionAttributes",
	"s3:GetObjectVersionTagging",
	"s3:ListBucket",
	"s3:ListBucketVersions",
	"s3:DeleteObject",
	"s3:DeleteObjectVersion",
	"s3:PutObject",
	"s3:PutObjectTagging",
	"s3:GetBucketNotification",
	"s3:PutBucketNotification"
	],
	"Resource": [
	"arn:aws:s3:::your-data-bucket",
	"arn:aws:s3:::your-data-bucket/*"
	]
	}
	]
	}
	```
	**Install quiltx:**
	**Apply the Policy:**
	**Console Method:**
	1. Go to **S3 Console** → **Your Bucket** → **Permissions** → **Bucket Policy**
	2. Paste the JSON above (replace `CONTROL-ACCOUNT-ID` and `your-data-bucket`)
	3. Click **Save changes**
	**CLI Method:**
	<!-- pytest-codeblocks:skip -->
	```bash
	# Save policy to file
	cat > bucket-policy.json << 'EOF'
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "QuiltCrossAccountAccess",
	"Effect": "Allow",
	"Principal": {
	"AWS": "arn:aws:iam::123456789012:root"
	},
	"Action": [
	"s3:GetObject",
	"s3:GetObjectAttributes",
	"s3:GetObjectTagging",
	"s3:GetObjectVersion",
	"s3:GetObjectVersionAttributes",
	"s3:GetObjectVersionTagging",
	"s3:ListBucket",
	"s3:ListBucketVersions",
	"s3:DeleteObject",
	"s3:DeleteObjectVersion",
	"s3:PutObject",
	"s3:PutObjectTagging",
	"s3:GetBucketNotification",
	"s3:PutBucketNotification"
	],
	"Resource": [
	"arn:aws:s3:::your-data-bucket",
	"arn:aws:s3:::your-data-bucket/*"
	]
	}
	]
	}
	EOF
	# Using uvx (recommended, no install required)
	uvx quiltx bucket add your-data-bucket --profile data-account --dry-run
	# Apply the policy
	aws s3api put-bucket-policy \
	--bucket your-data-bucket \
	--policy file://bucket-policy.json \
	--profile data-account
	# Or install with pip
	pip install quiltx
	```
	**🔒 Security Note:**
	> Quilt admins can still control user access to this bucket through the Quilt Admin Panel's Roles and Policies. The bucket policy only grants access to Quilt infrastructure, not end users.
	### Step 3: Configure Cross-Account SNS (Optional)
	**Preview changes with `--dry-run`:**
	**When You Need This:**
	If you're using [EventBridge integration](EventBridge.md) or have existing SNS topics in the Data Account that Quilt should use for notifications.
	<!-- pytest-codeblocks:skip -->
	```bash
	# Review planned bucket policy, SNS topic, and notification changes
	**Install quiltx:**
	<!-- pytest-codeblocks:skip -->
	```bash
	# Using uvx (recommended, no install required)
	# Or install with pip: pip install quiltx

Preview changes with --dry-run:

# Review planned bucket policy, SNS topic, and notification changes
uvx quiltx bucket add your-data-bucket --profile data-account --dry-run
# or, if installed via pip:
quiltx bucket add your-data-bucket --profile data-account --dry-run

<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>

[greptile-apps]

Missing Quilt catalog discovery guidance

quiltx bucket add is described as step 5 — "Registers the bucket in the Quilt catalog" — but the docs never explain how quiltx discovers which Quilt instance to register with. The command shown is just quiltx bucket add your-data-bucket --profile data-account with no Quilt endpoint, stack name, or environment variable mentioned. A new user following this guide has no idea whether to set a QUILT_STACK env var, pass an --endpoint flag, or rely on a local config file. Even a single sentence covering this would close the gap.